Amendment 001 to SB1341-17-RP-0007 

Cybersecurity Research Development Implementation Support Services 


Response to Questions 
Amendment 002 


# 

Section of RFP 

RFP Page Referenced 

Paragraph/Section 
of Page: 

Description of Question 

Response 

1 

Sec. L.1(a)

90 of 114 

2nd paragraph below 
title 

This paragraph references Standard Form 1449; however, RFP SB1341-17-RP-0007 was 
issued with Standard Form 33. Consequently, there is no NAICS code specified nor is there 
a small business standard identified on the SF33. Will the Government please identify any 
applicable NAICS code(s) and small business size standard? 

The NAICS code for this effort is 541519 - Other computer related services with a small business size 
standard of $27.5 million. 

Reference updated provision 52.204-8 found under RFP Section K.2.

2 

Sec. L.2 

90 of 114 for L.1(b)

93 for L.2 

100 for L.2 Section 5.0 

3rd paragraph below 
title for L.1.(b); L.2 page
93 section titled Proposal 
Volume Requirements, 
L.2 Section 5.0 page 100 
the last paragraph on 
page 

This section of the RFP indicates that the SF1449 (not provided) can be used to submit our 
response to SB1341-17-RP-0007 and we assume the SF33 can be used instead. Please confirm. 

However, Section L.2, page 93 in section titled Proposal Volume Requirements, there is a 
requirement to provide a cover letter (letter of transmittal). The same paragraph requires a 
title page as first page to be completed in accordance with FAR 52.215-1. 

L.2 Section 5.0 Price Requirements for Volume V requires the SF33 be used as the cover sheet 
(or first page) of the Price/Cost volume. 

Is it the Government's intention that the front matter for Volumes I through IV should be
ordered as follows: 

Cover/Transmittal page 

Title Page 

Table of Contents 

Table of Figures 

List of Tables 

Glossary of Abbreviations and Acronyms? 

And that front matter for Volume V should be as follows: 

Signed, completed SF33's 

Title Page 

Table of Contents 

Table of Figures 

List of Tables 

Glossary of Abbreviations and Acronyms? 

Offerors shall submit a complete response in accordance with instructions provided in RFP Section L.2 
"Instructions to Offerors - FAR 52.212-1 Addendum to Instructions to Offerors"

3 

Sec. L.2 

93 and 96 

The table of Volumes 
and page limitations on 
page 93; first line on 
page 96 

On page 93, the table shows 150 pages for Volume II, Technical Approach. However, the 
first line on page 96 indicates that the page limit is 75 pages, inclusive of all subsections. 

Which page limitation is correct? 

As per Amendment 001, posted 04/04/2017, the correct page limitation for Volume II is 150 pages.

4 

not given

93 and 96 

not given 

There is a big discrepancy in the number as page 93 states there is a 150 page limit and 
page 96 states there is a 75 page limit. This makes a big difference when planning our 
responses, and would be beneficial to know before the official question responses are 
issued. 

As per Amendment 001, posted 04/04/2017, the correct page limitation for Volume II is 150 pages.

5 

Sec. L 

97, 98,100 

2nd par on pg 97, 3rd 
para on pg 97, last 
bulleted, para on page, 
1st para on page 100 

Please define "major subcontractor." 

For the purposes of this solicitation, a "major" subcontractor is considered any first-tier subcontractor. 

6 

Sec. L 

90 

1(a) 

There does not appear to be an SF1449 as described, "The NAICS code and small business 
size standard for this acquisition appear in Block 10 of the solicitation cover sheet (SF 
1449)." Does the Government intend to provide a SF 1449? 

No, the Government does not intend to provide a SF 1449. Offerors shall reference the updated provision 
at 52.204-8 found under RFP Section K.2, and shall submit proposals in accordance with the instructions
found in section L.2 of the RFP.

7

SF 33 

1 

Box 9 

The SF 33 states "Sealed offers in original and 1 copies for furnishing...will be received at 
the place specified in item 8..." However, page 94, paragraph 5 of the RFP states, 
"Electronic Submission of Proposal." Does the Government anticipate an email submission 
as well as a copy delivered to its headquarters office at 100 Bureau Drive Stop 1640, 
Building 301 Room B129, Gaithersburg, MD 20899. If an original and 1 copies is required 
for delivery, what type of media is required - i.e. physical hardcopy, digital softcopy, etc...? 

The Government will accept ONLY Electronic Submissions as per instructed in RFP Section L.2 "Instructions 
to Offerors - FAR 52.212-1 Addendum to Instructions to Offerors" 

8 

Sec. L 

94 

5 (Electronic Submission 
of Proposal) 

If this is an electronic submission, is there a file size limit for each volume we should 
adhere to? 

The maximum email message size is limited to 25 Megabytes. 

9 

Schedule of Labor 
Categories 

18 & 19 

Minimum Education 

The Minimum Education requirement for Program Manager II and III implies individuals 
must be certified as a Project Manager Professional (PMP) at the time of the proposal 
submission. We recommend the Government add language to state the PMP certificate 
must be obtained by date of award or within 90 days after award? 

Within 90 days of award is acceptable. 

10 

Sec. L 

94 

1, Page Limitations 

Would the Government like a Compliance Matrix included as part of the submission? If so, 
we recommend the Government not include this matrix in the page count limitations. 

A Compliance Matrix is not a requirement when submitting proposal responses; if Offerors submit
responses containing a Compliance Matrix, it will count towards the page count limitations.

11 

Sec. L 

96 

2.1 Sub-Factor 1 - 
Project Plan for IDIQ 
Contract, Paragraph #2 

Section 2.1, Paragraph 2 states, "Finally, the offeror shall submit its list of proposed labor 
categories for the IDIQ contract. The offeror's proposed IDIQ labor categories shall match 
the Government's list of required IDIQ labor categories, including the descriptions and 
minimum qualifications for each labor category." This requirement seems to imply the 
government would like the offeror to list out the Schedule of Labor Categories located 
between pages 7 and 26 in the RFP in the offeror's Volume II Technical Response and 
this would be inclusive in page count limitation. Is this the government's intent or has 
the offeror misunderstood the requirement? 

The reason the offeror has inferred this is because the requirement subsequently states, 
"However, offerors may also propose additional labor categories for the IDIQ outside of 
those required by the Government. The offeror shall clearly identify any labor categories 
being proposed that are not on the Government's list of required labor categories. The 
offeror shall clearly state the labor category title, description, and any minimum 
qualifications for each labor category proposed. The proposed list of IDIQ labor categories 
may be submitted as an "attachment" to this volume of the proposal and will not count 
towards the page count limitations of this volume." 

As such, our interpretation of the requirement is to include the Schedule of Labor 
Categories in the technical response which will be included in page count limitations and 
propose additional Labor Categories as attachments to the Technical Volume and those 
will not be included in page count limitation. Government clarification will be helpful. 

Offerors' Technical Response shall include the list of proposed labor categories for the IDIQ contract which
shall match the government's list of required IDIQ labor categories, plus any additional labor categories
being proposed by the Offeror. The offeror shall clearly identify any labor categories being proposed that
are not included in the Government's list of required labor categories, and shall clearly state the title,
description, and any minimum qualifications for each labor category proposed. However, the proposed list
of labor categories for the IDIQ, inclusive of the Government's required labor categories and any
additional labor categories proposed by the offeror, may be submitted as an attachment to this volume of
the proposal and will not count towards the page limitations.

12 

Sec. J_Sample Past 
Performance 

Questionnaire 

2 

4 

Some of our References would like the Government to consider modifying the fill-in box for
"Description of the contract/order work:" to accommodate more text to fully describe the 
work performed. We recommend the Government expand the description box or allow an 
addendum to each past performance questionnaire, such that the offeror's References 
could substantially discuss the specific details of work performed? 

If the Past Performance Questionnaire template provided in the RFP does not allow enough room for a 
given section, references may attach a typed addendum to a given questionnaire to expand on such 
sections. However, Offerors shall submit those questionnaires that use addendums such that the 
addendum is one with the questionnaire and is easily correlated to the subject questionnaire. 

13 

C3.1.4.g 

32 

not given 

Does a contractor have to show direct experience with "developing an economic and social 
impact evaluation of the state pilots funded under the NSTIC State Pilots Cooperative 
Agreement Program," or can a contractor show that they have the transitive skills to 
perform those tasks? If it is the former and a contractor has to show direct knowledge, we 
feel that this will limit the competition and heavily favor the incumbent.

The demonstration of the transitive skills needed is acceptable.

14 

L.2 

100 

not given 

Can the past performance questionnaires be submitted for IDIQ contracts, or do they need 
to be for standalone contracts and individual task orders? 

Past Performance Questionnaires may be submitted for IDIQ contracts, Task/Delivery orders, BPAs, Call
Orders and standalone contracts.

15 

Sec. J TO#4 

not given 

not given 

Does this Task Order require an approach that would have a large team of full-time SMEs 
that have expertise across the subject areas? 

No. It is expected that the work would utilize experts in very short blocks of time (no more than 80 hours 
per requirement), and the requirements are expected to be intermittent. 




















16 

Sec. J TO#4 

not given 

not given 

Is NIST looking for the ability to pull in the expertise for short periods of time that 
presumably are working on other programs/projects? 

That is possible. Resources in the past on similar task orders have been utilized for very short periods of 
time from other Task Orders so long as there was no significant impact to the other TO. 

17 

Sec. B.1

19 

2 

What is the reasoning for 5 years of IT experience in computer security for the Program 
Manager 3 - Contract Level? Will 5 years of IT experience be acceptable, even if it is not
directly related to computer security? 

The Program Manager 3 needs to have a fundamental understanding of a broad range of computer 
security topics, how they inter-relate, how they can potentially interact with other topics, and what the 
general concerns are that NIST addresses for other government agencies. A candidate with 5 years IT 
experience may be considered, but they should demonstrate as much knowledge about computer security 
as possible. Classes or other formalized training will be taken into consideration. 

18 

Block 9, SF 33, Due 

Date 

1 

Block 9 

Various religions have major holidays that involve travel and time off during April. We 
respectfully request a 10 days extension of the proposal due date to ensure that we can 
obtain the signatures for required (up to 8) past performance questionnaires. 

The Government does not intend to issue an extension to the proposal due date. 

19 

Sec. J TO#5 

5 

Item 8 in the 

Deliverables table that is 
at the top of the page 

The Description says: "Evidence of contribution to standards for a". Will the Government 
please provide the rest of the Deliverable description? 

It should read "standards fora." Meaning multiple standards forums. 

20 

4.0 Past 

Performance 
Requirements; 
Factor C - Past 
Performance; 2.4 
Specialized 
Experience 

100 of 114; 112 of 114; 
97/98 of 114 

2; 4; 3/1 

Per page 100 of the solicitation, "Offerors are directed to provide completed Past 
Performance Questionnaires on no more than eight (8) of the offeror's most recently 
completed Federal Government or Commercial contracts for services similar in scope to 
those of this requirement, for work completed or substantially completed within the last 
three (3) years." Additionally, Section M states "The Government will only consider past 
performance of the Offeror's projects that were completed or substantially completed 
within the past three years." 

However, pages 97/98 of the solicitation state, "To the extent possible, any identified 
prime offeror or major subcontractor/team member corporate experience performed 
within the past five years should be traceable to the information provided in Volume IV, 
Past Performance." 

Are there different requirements for the Past Performance Questionnaires and 
Specialized Experience sections? Are PPQ projects within the past three years, but 
Specialized Experience examples can be within the past five years? 

Yes, the Past Performance Questionnaires and Specialized Experience sections are different and have 
different requirements. 

21 

not applicable 

not applicable 

not applicable 

Can the government clarify or provide an estimate to how many anticipated awardees are 
expected for this multiple award IDIQ? 

The Government does not have a predetermined number of awards it intends to issue as a result of the
RFP.

22 

not applicable 

not applicable 

not applicable 

Are there any incumbent contractor(s) to Task Order 1 for National Vulnerability Database 
Analysis Support? If so, who is the current incumbent for Task Order 1? 

Yes. The Incumbent is Trusted Security Alliance, LLC. 

23 

not applicable 

not applicable 

not applicable 

Are there any incumbent contractor(s) to Task Order 2 for Computer Security Resource 
Center and National Vulnerability Database Development Support? If so, who is the 
current incumbent for Task Order 2? 

Yes. The Incumbent is Trusted Security Alliance, LLC. 

24 

not applicable 

not applicable 

not applicable 

Are there any incumbent contractor(s) to Task Order 3 for Support to Validation Programs? 
If so, who is the current incumbent for Task Order 3? 

Yes. The Incumbent is Trusted Security Alliance, LLC. 

25 

not applicable 

not applicable 

not applicable 

Are there any incumbent contractor(s) to Task Order 4 for Variable Subject Matter Expert 
(SME) Support? If so, who is the current incumbent for Task Order 4? 

Yes. The Incumbent is Trusted Security Alliance, LLC. 

26 

not applicable 

not applicable 

not applicable 

Are there any incumbent contractor(s) to Task Order 5 for Technical Analysis and
Document Development in Support of the National Strategy for Trusted Identities in
Cyberspace? If so, who is the current incumbent for Task Order 5?

Yes. The Incumbent is Trusted Security Alliance, LLC. 

27 

not applicable 

not applicable 

not applicable 

Are there any incumbent contractor(s) to Task Order 6 for NIST Special Publication SP 800-118
Support? If so, who is the current incumbent for Task Order 6?

Yes. The Incumbent is Trusted Security Alliance, LLC. 

28 

not applicable 

not applicable 

not applicable 

Are there any incumbent contractor(s) to Task Order 7 for Research related to Internet of 
Things (IoTs) Architecture and Cybersecurity Risk Management Framework? If so, who is
the current incumbent for Task Order 7? 

Yes. The Incumbent is Trusted Security Alliance, LLC. 

29 

not applicable 

not applicable 

not applicable 

Are there any incumbent contractor(s) to Task Order 8 for Program and Technical Services 
to Support the National Initiative for Cybersecurity Education (NICE) Effort? If so, who is 
the incumbent for Task Order 8? 

Yes. The Incumbent is Trusted Security Alliance, LLC.

30

not applicable 

not applicable 

not applicable 

As this is a small business set-aside, does the government require that the small business 
Prime Offeror perform 51% of work for each task order? Or will the Government require 
that 51% of the work be performed over the life of the IDIQ contract across all task orders? 

FAR 52.219-14 "Limitations on Subcontracting (Jan 2017)" is applicable to this solicitation. Offerors shall 
read and comply with FAR 52.219-14 "Limitations on Subcontracting (Jan 2017)" for details on these 
constraints. However, the general answer to the question is that it is over the life of the IDIQ contract. 

31 

Sec. 5.0.B 

102 

2 

Page 102, Section 5.0.B says "The Offeror shall clearly identify a total price for each 
separate optional task or option period." Does the government want to see a task order 
total price inclusive of optional tasks or should the optional tasks totals be kept separate? 

For all task orders, the Offeror shall provide sufficient supporting documentation to show its proposed 
total prices by tasks identified in each task order PWS. Offerors shall propose a total price (or ceiling price, 
for labor hour or hybrid task orders) for each task order. The "total price" of the task order shall include 
any and all base and option tasks/periods and travel. Additionally, the supporting documentation for each 
task order shall demonstrate how the total prices were derived, and shall show the derivation by task. For 
any task orders with optional tasks or option periods, the Offeror shall clearly identify a price for each 
separate optional task or option period, as delineated in the instructions in Section L.2. 

32 

not applicable 

not applicable 

not applicable 

Due to the complexity of the response requirements that Offerors are to submit a 
complete response for all eight task orders, inclusive of key personnel resumes, would the 
government consider providing an extension of the deadline for proposal responses? 

The Government does not intend to issue an extension to the proposal due date. 

33 

FAR 52.212-1 

ADDENDUM TO 

INSTRUCTIONS TO 

OFFERORS, 

Electronic 

Submission of 
Proposal (a) 

94 

5th Paragraph/Last 
Paragraph 

Can the government confirm that electronic submission of proposal is to the listed emails 
for Contracting Officer keith.bubar@nist.gov and Contracting Specialist 
chantel.adams@nist.gov on page 93? 

The Government will accept ONLY Electronic Submission as per instructed in RFP Section L.2 "Instructions 
to Offerors - FAR 52.212-1 Addendum to Instructions to Offerors." 

Yes, those are the correct email addresses. 

34 

3.3 Sub-Factor 3 - 

Transition Plan 

99 

4th Paragraph 

"The transition should be no less than 60 days and no more than 90 days for startup, from 
contract award date to performance start date." If the contract award date for the base 
IDIQ is September 2017, can the government provide or confirm when the "performance 
start dates" are for each of the eight task orders? 

Offerors shall assume that all task orders would begin in the base period of the IDIQ contract. However, 
specific start dates for each task order cannot be provided. 

35 

3.3 Sub-Factor 3 - 

Transition Plan 

100 

4th bullet 

The RFP indicates that Offeror's transition plan shall address "Dated milestones for each
step of the plan" - can the government clarify if it requires milestone dates for each of the
eight task orders? If so, can the government provide anticipated start dates for Task
Orders 1-8?

The instructions for the Transition Plan in Section L.2 of the solicitation, specifically in Section 3.3 of Section 
L.2, have been amended to remove the requirement for the Transition Plan to include "Dated milestones 
for each step of the plan." Offerors need not include specific dates for each step. However, offerors shall 
include specific time frames in which each step will be completed (e.g. "within XX days of completion of
Step YY") in the Transition Plan. Offerors shall assume that all task orders would begin in the base period
of the IDIQ contract. 

36 

TO#1, Section 4.1.2

2 

Paragraph 2 & 3 

TO #1 Section 4.1.2 discusses analysis of vulnerability data, and developing a triage process 
for that analysis. What is the current approach to validating the vulnerabilities? Are the 
vulnerabilities being re-created and tested on a VM or other representation of the 
vulnerable software? In the documentation it said there was an average of 20 minutes of 
analysis per vulnerability, which does not seem consistent with re-creating the 
vulnerability. 

An initial description of the vulnerability is produced by the vendor reporting the vulnerability. The analyst 
takes the description, and along with any information that can be found on specific research sites, will 
perform a risk categorization and classification using CVSS. Vulnerabilities are not recreated as a part of 
the analysis. 

37 

TO#6, Section 4.1 

2 

Paragraph 2 

TO#6 - Section 4.1 outlines the first step as interviewing a maximum of 5 staff. Is it likely 
that the 5 staff members are in the same region, and can it be assumed that these 
interviews can occur in a span of a few days, as to reduce costs to one trip? 

All of the relevant staff are at the NIST Gaithersburg facility, therefore it is entirely possible the interviews 
could be scheduled within a few days unless someone is out of the office during that time period (e.g., at a
conference, on PTO, etc.).

38 

TO#7, Section 4.1.1 

2 

Paragraph 2 

TO#7 - For Section 4.1.1 which discusses creating a survey of the Different IoT
Sectors/Verticals. This indicates that sources shall originate from Industry groups, business
trade organizations, internet resources, and IT research and advisory committee. Will
these sources and membership to these organizations be provided to the contractor?
Additionally, will any IoT Devices be provided for this TO to test and evaluate
recommended practices, etc.?

Contacts and information will be given as available, but it is also expected that the contractor should be 
bringing some expertise in the area to bear. Any membership fees necessary will be provided by the 
government, however, only with prior approval from the COR. This TO does not include actual testing of 
IoT devices. This TO is intended to be at a higher level of abstraction than individual device testing.

39 

Task Order 3. 5.2 

Documentation 

Support 

3 

7 

In Task Order 3, all tasks under 5.2 Documentation Support are listed as labor hour tasks. 
However, they are listed as Firm Fixed Price in the solicitation on page 103 of 114. Are 
these tasks Labor Hour or Firm Fixed Price? 

All tasks under Section 5.2 of TO 3 should be Labor Hour. 

Section L.2 has been amended to reflect this correction.

40

Amendment 1, 
Q&A 

1 

Question 10 

The answer in Question 10 of the Q&A released with Amendment 1 indicated that "Past 
performance of individual members from their past employers is acceptable." If an Offeror
(Prime or Subcontractor member) were to use past performance from an individual 
member from their past employers, then: 

1) Can the government clarify what information would be required for the PPQ in 
regards to contract value, contract type, etc. for that individual member past
performance? 

2) Would the past employer be the customer reference that completes the 
questionnaire? 

There may be a misinterpretation of the Government's answer to Question #10 from Amendment 001. The 
Government was saying that Offerors can submit past performance of individual members of their team, 
even if those individual members were working for different employers at the time of performance. 

However, the past performance effort the references are evaluating the individual on shall still be for a 
recently completed government or commercial contract for services similar in scope to those of this 
requirement, for work completed or substantially completed within the last three years. Therefore, the 
information given on the PPQ with regards to contract value, contract type, etc. should still be the 
information for whatever contract/order the individual member performed under and is being evaluated 
on. The actual agency/entity that received the services of the company or individual should still be the 
reference that completes the PPQ. 

41 

Section L; Section 

5.0- Price 
Requirements; 
Subsection B 

102, 103 and 104

2, and Task Order 
Instructions for TOs 4, 5, 
and 8 

The Government states, "For any task orders that include travel requirements, the offeror 
shall clearly identify its total proposed ceiling price for estimated travel costs." Also, in 
Subsection B in the detailed Task Order paragraphs, under Task Orders 4, 5 and 8, the
Government states, "Offeror shall estimate a total ceiling travel cost of $15,000.00", 
"Offeror shall estimate a total ceiling travel cost of $20,000.00", and "Offeror shall 
estimate a total ceiling travel cost of $20,000.00" for Task Orders 4, 5, and 8 respectively. 

Subsection B does not specify a requirement to provide any supporting documentation for 
these proposed ceiling prices for estimated travel costs. Is it the Government's direction 
that Bidders include these referenced ceiling travel costs with no supporting 
documentation? 

That is correct. Offerors need not provide supporting documentation for their proposed ceiling travel 
costs, since the ceiling travel costs have been pre-defined by the Government. 

42 

PWS 2. Scope of 
Work 

30 of 114 

2nd paragraph 

"The support needed to ensure a successful mission ranges from internal
programmatic support to technical expertise and research consulting in a wide range of 
cyber and information security areas." 

When performing any "research consulting", if we include intellectual property from our 
corporate Internal Research and Development (IRAD) efforts, would this preclude us from 
selling our products? We are concerned about OCI issues. 

There is nothing in this contract that would preclude the Contractor from using its previously developed IP 
in commercial products. Nothing in this contract should affect background IP (IP developed prior to the 
contract work). 










